There are aspects of this that I do not understand. I gave my Tablo a static IP address and mapped specific external ports to a set of specific internal ports on that IP. I assume what you are saying is that because Tablo uses UPnP internally within my network, someone could use the fact that I opened those external ports and mapped them to the Tablo to piggyback on the UPnP protocol to access the rest of my network. I am trying to figure out what that would give them access to. Can they use UPnP as a gateway to hit Windows File and Print Sharing?
Not exactly. As you said, you made a risk based decision on what ports to open and that in turn allows access. Access to Windows file and printer sharing is CIFS and requires authentication. I think you are good, especially since you are cognizant of what data is important and you keep that data in a safe location. Your port forwarding, manually configured, means that only the interface to the Tablo is exposed.
The issue is that if your router is set up as an IGD, then anyone on the Internet can ask for a UPnP access, and it will be granted. At that point the external user is now inside your firewall. From that point an attacker can do many things. They can scan your network for unpatched vulnerabilities and in turn exploit them. They could attack your router as well. Almost no one patches their home routers, and many have vulnerabilities that allow DNS redirection. DNS redirection allows the attacker to change where your browser gets DNS; that means that when you type a URL it could be redirected to a phishing or spoofed site. Imagine if the attacker builds a site that looks like your bank, only controlled by them. Poof, they have your username and password. The same could hold true for a shopping site such as Amazon. Man-in-the-Middle attacks are possible as well.
Essentially, running UPnP on a router that is improperly configured abrogates the firewall. I would never recommend any device to be on the Internet without a firewall. Would you?
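One way to check what an IGD router has actually opened, as an added example that is not from this thread or from Tablo: the script below builds the standard WANIPConnection `GetGenericPortMappingEntry` SOAP request, parses the router's reply, and flags any mapping that points at a host other than the device you forwarded by hand or at a port outside your manual list. The Tablo address (192.168.1.50) and port numbers are assumed placeholders, and the router replies are constructed inline; in a real audit you would POST each request to the router's control URL found via SSDP discovery, which is not shown here.

```python
"""Audit the port mappings an IGD router reports over UPnP (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Assumed for this example: the Tablo's static LAN address and the external
# ports its owner forwarded manually (placeholders, not Tablo's documented ports).
TABLO_IP = "192.168.1.50"
TABLO_PORTS = {21000, 8887}


def build_get_mapping_request(index: int) -> str:
    """SOAP envelope for GetGenericPortMappingEntry; index walks the mapping table."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        "<s:Body>"
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry>"
        "</s:Body></s:Envelope>"
    )


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool


def parse_mapping_response(xml_text: str) -> PortMapping:
    """Pull the argument elements out of a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_text)

    def text(tag: str) -> str:
        # Argument elements in the IGD response carry no namespace prefix.
        el = root.find(f".//{tag}")
        if el is None:
            raise ValueError(f"missing {tag} in response")
        return (el.text or "").strip()

    return PortMapping(
        external_port=int(text("NewExternalPort")),
        protocol=text("NewProtocol").upper(),
        internal_client=text("NewInternalClient"),
        internal_port=int(text("NewInternalPort")),
        description=text("NewPortMappingDescription"),
        enabled=text("NewEnabled") == "1",
    )


def audit_mappings(mappings, allowed_client: str, allowed_ports) -> list:
    """Return a finding for every enabled mapping you did not create on purpose."""
    findings = []
    for m in mappings:
        if not m.enabled:
            continue
        target = f"{m.protocol}/{m.external_port} -> {m.internal_client}:{m.internal_port} ({m.description!r})"
        if m.internal_client != allowed_client:
            findings.append(f"{target}: unexpected internal host")
        elif m.external_port not in allowed_ports:
            findings.append(f"{target}: external port not in the manual forwarding list")
    return findings


def _response(ext, proto, client, internal, desc, enabled="1"):
    """Constructed router reply in the shape the IGD spec defines (sample data)."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed mapping table: two expected Tablo entries, one foreign host,
# one Tablo entry on an unplanned port, and one disabled leftover.
SAMPLE_RESPONSES = [
    _response(21000, "TCP", TABLO_IP, 21000, "Tablo"),
    _response(8887, "TCP", TABLO_IP, 8887, "Tablo"),
    _response(3389, "TCP", "192.168.1.23", 3389, "Remote Desktop"),
    _response(21001, "UDP", TABLO_IP, 21001, "Tablo extra"),
    _response(5000, "TCP", "192.168.1.77", 5000, "old", enabled="0"),
]


def audit_sample() -> list:
    """Run the audit over the constructed replies; returns two findings."""
    mappings = [parse_mapping_response(r) for r in SAMPLE_RESPONSES]
    return audit_mappings(mappings, TABLO_IP, TABLO_PORTS)


if __name__ == "__main__":
    for line in audit_sample():
        print("FINDING:", line)
```

The request index starts at 0 and increments until the router answers with a SOAP fault (error 713, SpecifiedArrayIndexInvalid), which is how a client walks the whole table; comparing the result against the mappings you configured by hand is the practical check on whether UPnP has quietly added more.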
Please read the linked thread below; this is exactly why the UPnP feature exists. It has been 4 days of help from multiple forum members, multiple attempts by the OP, and the OP cannot forward 3 ports properly. Yes, forwarding a port on a router may seem easy to you or me, but it’s obviously not that simple to all.
Another thread where UPnP came to the rescue:
I’m not weighing on the UPnP vs. no UPnP debate - except to note that in general I prefer more choices to fewer.
I wanted to share one other aspect of Tablo Remote that I have experienced. My Tablo Remote works flawlessly. However, I have noticed that the firewalls on some networks prevent a Tablo Connect connection (i.e. “Connecting . .” forever). For example, at my place of employment, there is a network for employees and one for guests. I cannot connect to Tablo Connect on the employee network, but I can on the guest network. I think this has to do with the firewall blocking P2P connections. Same on my daughter’s xfinity network. When I first tried to connect, I was unsuccessful. When I looked at her firewall and unticked the box that blocked P2P, Tablo Connect worked.
Anyway, maybe others have run into this? I guess a lesson here is that if Tablo Connect doesn’t work, it is not necessarily a port forwarding issue.
At my library, it just gets stuck at connecting as well. But when I went to renew my license plate, I could watch my Tablo. Both used the same Metro network, but the library must have some ports blocked.
I’ll +1 this request.
Logging in to our account should satisfy security needs. Our account login should be https and that should suffice for the web app connection.
After we login, a link on our account page beside each device to open it in the web app would be handy.
I have worked as a security consultant. Most “security” people are too “absolute” on enforcement, and most developers want to “zero rate” security.
The reality for security is a balance. You cannot ADD or INCREASE security without DECREASING or WORSENING “ease of use” or “productivity”.
Security has to be balanced. It has to defeat 80-90% of any real threats, but not destroy productivity or ease of use.
If you need to implement security that makes using your system or service really hard or difficult you have actually defeated the purpose of whatever service you have.
Now, while my home network does not have anything of value on it, I take a dim view of the spam-ware company in Europe that HACKED my DNS server setting in my modem!
And NOBODY can tell me how they did it. Was it UPnP? From outside? Inside? Maybe the ISP-loved remote management system has a flaw?
Nobody can tell me. This is why I turned OFF UPnP. It does not seem possible to turn off the remote management protocol in my modem.
I turned UPnP back on temporarily to shake down my new Tablo. But as soon as it’s stable and I understand its needs, UPnP gets switched OFF. I’ll add the port forwards manually. Unless the UPnP-created ones stick…
@rcooke Well said. I don’t think that an absolute number value can be applied as you suggest (80-90%), but rather a full analysis of the risks and benefits should be made to determine where the correct level of security lies.
It is important to remember that availability is one of the three legs of security.
I mentioned previously it did not work at Taco Cabana but did work at Starbucks, so it is port blocking.
Remote access is a great idea instead of pairing it. I hope TabloTV gets it up very soon. People could for example set it up at a friend’s or family member’s house (with permission) to watch out of market local channels. That would be neat!
Any updates? It’s well past “later this year”.
There have been updates to Tablo Connect to make it survive IP changes, so now when you pair a device, it almost never comes unpaired, making the need for username and password remote access even less.
I’d still like a way to access it from devices that will never visit the home network.
@TabloTV is there any development on this? Is this on the road map? I’d love to be able to access my Tablo app from our cabin which doesn’t have any antenna access.
@faganm24 - Still on the ‘would be nice’ list but we haven’t made much progress on it. We’ll be doing another customer survey soon to flesh out priorities for the rest of 2016 (aside from Android & Apple TV) and early 2017.
Beware of referendums
Haha… Indeed. Thankfully we have our own ‘article 50’ (i.e. the CEO!)
This “feature” really is a requirement. Please add it Tablo!
Now 2017. What’s the word?
I really like this product in general. The video stream is fantastic. But the lack of login remote access or even Plex being fixed is lame. Now the HDHR is about to overtake Tablo for every aspect that attracted me to this device to begin with. Without this I see no reason to pay the subscription cost.
I’m sure you are a small outfit, but since the web based access has to connect to your servers no matter what anyway, I don’t see why you can’t add some kind of login system. You could even do a 2 (or 3) step process: username/password, then device MAC and/or IPv4 address of the Tablo. Granted the MAC/IPv4 would be a pain, but piracy would be rather difficult (I’d imagine, as this must be the cause of delay?)
I’m not a programmer, so explain to me why this hasn’t happened?
You know you can’t even schedule recordings on the Plex DVR unless you use the website on a computer right? Big fail.
I just purchased the new Tablo 2 Tuner DVR and it works well in the house, but am very disappointed with the difficulty in using it remotely, away from the house. I can take computers apart and change motherboards and deal with electronic things, but I am stupid when it comes to IP addresses and ports and subnet masks or whatever all of this is. I’ve gotten it to work, but it doesn’t work more than it works. Lately I haven’t gotten it to work at all. Why isn’t there an option for me to just simply log in from my phone or work computer to watch or schedule a program? I have a Slingbox with my Satellite DVR and you can just log in to Dish Anywhere and access it. Very disappointed that Tablo doesn’t have this ability. I’d love to ditch the Satellite, and still be able to record off air programs and watch them anywhere, but this is turning out not to be an option.